CA2373017A1 - Method and system for fraud detection in telecommunications - Google Patents
Method and system for fraud detection in telecommunications Download PDFInfo
- Publication number
- CA2373017A1 CA2373017A1 CA002373017A CA2373017A CA2373017A1 CA 2373017 A1 CA2373017 A1 CA 2373017A1 CA 002373017 A CA002373017 A CA 002373017A CA 2373017 A CA2373017 A CA 2373017A CA 2373017 A1 CA2373017 A1 CA 2373017A1
- Authority
- CA
- Canada
- Prior art keywords
- sub
- event data
- periods
- profile
- data packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/43—Billing software details
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/47—Fraud detection or prevention means
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/70—Administration or customization aspects; Counter-checking correct charges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/70—Administration or customization aspects; Counter-checking correct charges
- H04M15/73—Validating charges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0148—Fraud detection or prevention means
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/22—Bandwidth or usage-sensitve billing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/32—Involving wireless systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/70—Administration aspects, modify settings or limits or counter-check correct charges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/70—Administration aspects, modify settings or limits or counter-check correct charges
- H04M2215/7072—Validate charges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/22—Arrangements for supervision, monitoring or testing
- H04M3/2218—Call detail recording
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/22—Arrangements for supervision, monitoring or testing
- H04M3/36—Statistical metering, e.g. recording occasions when traffic exceeds capacity of trunks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method and apparatus for profiling a flow of event data packets. The method comprises the steps of: receiving data defining sub-periods which partition a base time period, creating a profile of recent behaviour for each sub-period, and allocating each event data packet to one of the sub-periods according to a time indication associated with the event data packet. The method and apparatus may be used in anomaly detection within data streams and, in particular, account fraud detection where the event data relates to account usage.
Description
WO 00/67460 _ 1 _ PCT/GB00/01676 METHOD AND SYSTEM FOR FRAUD DETECTION IN TELECOMMUNICATIONS
FIELD OF THE INVENTION
The present invention relates to a method and apparatus for performing s pattern recognition within event streams, and a system incorporating the same.
BACKGROUND TO THE INVENTION
In recent years there has been a rapid increase in the number of commercially operated telecommunications networks in general and in to particular wireless telecommunication networks. Associated with this proliferation of networks is a rise in fraudulent use of such networks the fraud typically taking the form of gaining illicit access to the network, and then using the network in such a way that the fraudulent user hopes subsequently to avoid paying for the resources used. This may for Is example involve misuse of a third party's account on the network so that the perpetrated fraud becomes apparent only when the third party is charged for resources which he did not use.
Since fraudulent use of a single account can cost a network operator a large sum of money within a short space of time it is important that the 20 operator be able to identify and deal with the most costly forms of fraud at the earliest possible time.
One of the steps employed in, but not limited to use in, such fraud detection systems is pattern recognition from event streams.
Pattern recognition for event streams can be achieved by building up 2s profiles of the behaviour of an entity and performing pattern recognition over these profiles. In order for an entity to be profiled in this way, the entity must be able to have events associated with it. Examples of entities are: a single subscriber in a telephone network, a user accessing a data network, a switch in a telephone network or a server in a data network.
3o The events to be associated with the user must be able to be represented in an Event Data Packet (EDP). The profiles of entities behaviour are WO 00/67460 _ 2 _ PCT/GB00/01676 compared with known patterns of unacceptable behaviour to determine if the system should alert the end user to the entities behaviour pattern.
The flow of Event Data Packets 110 of information through a profiling pattern recognition system is shown in Figure 1. The Recent profile 130 s represents the typical usage for the entity over a recent period of time, approximately the last week. The Historical profile 140 represents the typical use for the entity over a preceding and longer time period, for example approximately the last six weeks. The EDPs are all accumulated into Polls of information. A Poll 120 is a set of EDPs received over a to particular time period (e.g. 4 hours). The Poll information is then used to update the values in the Recent profile, and the Recent profile is then used to update the values in the Historical profile. The solid arrow between the EDPs and the Poll indicates that the information in each Poll is directly created from the EDPs. The dotted arrow between the Poll and Is the Recent indicates that the Poll information is used only to update the Recent behaviour, as is true for the Recent to Historical.
In an example where the EDPs are Call Detail Records (CDRs) and the profiles represent voice telephony usage is given the profiles may consist of number of calls made and the duration of national and international 2o calls. Table 1 shows an example of Recent and Historical profiles for such an example.
Period Calls National International Duration Duration sec sec Recent 2.5 300 200 Profile Historic 2.0 250 200 Profile Table 1: Voice telephony recent and historic profile example WO 00/67460 _ 3 _ PCT/GB00/01676 If subsequent CDRs create a Poll of:
~ calls 3, ~ nationa1500, ~ internationa1100.
s Then after polling and once all updates to Recent and Historic profiles have completed the Recent and Historic profiles may be as shown in Table 2.
The new recent profile is derived from the previous recent profile plus a proportion of the difference between the new and old recent profiles Io The new historic profile is derived from the previous historic profile plus a proportion of the difference between the new and old historic profiles, but the proportions typically differ from that of the recent profile case in that a higher proportion of the old historic profile is taken.
Period Calls National International Duration Duration s s Recent 2.75 280 175 Profile Historic 2.1 255 195 Profile is Table 2: Voice telephony recent and historic profile example after update It can be seen that the Recent profile has moved towards the newly added Poll profile and the Historic toward the previous Recent profile.
These profiles provide a view of the entity's behaviour and how it changes 20 over time. The profiles of behaviour can then be used for pattern recognition to identify which entity's behaviour reflects patterns to which the user of system wishes to be alerted.
WO 00/67460 _ 4 _ PCT/GB00/01676 There are however the following limitations to the method described above:
The Recent and Historic profiles are built up from a series of Poll profiles.
In order for the Recent and Historic profiles to maintain their integrity all s Poll profiles must cover the same amount of time, for example a 4 hour period.
The period of time the Polls must all cover must not be too small, otherwise natural variations in behaviour will appear to be anomalous. A
typical recommended minimum is two hours.
to These two limitations, taken in consideration, mean that this method cannot be used for real time data feeds.
It is also incumbent upon the user to ensure that the data given to the product is split into appropriately sized chunks. This can be a burden to the user if, for example, hardware downtime means it is necessary to feed Is a backlog of data into the system.
The profiles generated only represent the active periods for the user, this means that a user who is active in only one two hour period a week could have a similar profile to a user who is active in twenty of the two hour periods in a week.
2o The nature of the data in the profile - as an average of activity in all X
minute periods where the user had actually been active - where X is the duration of the Poll, is not intuitive to many end users of the system.
In order for pattern recognition to occur effectively, the known patterns have to be represented in the same time period that the systems polls 2s over. This can increase training times for the account fraud detection system which analyses the Poll, Recent profile, and Historical profile information in order to identify anomalies.
OBJECT OF THE INVENTION
The invention seeks to provide an improved method and apparatus for 3o behavioural pattern recognition for event streams in general and for event streams in an account fraud detection systems in particular.
WO 00/67460 _ 5 _ PCT/GB00/01676 SUMMARY OF THE INVENTION
According to a first aspect of the present invention there is provided a method of profiling a flow of event data packets comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base s time period; creating a profile of recent behaviour for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
The method may also comprise the steps of: creating a profile of historical behaviour for each of said sub-periods; at the end of said Base Time io Period updating each of said Historical profiles responsive to the previous value of said Historical profile and a corresponding Recent profile, and resetting each said Recent profile.
The method may also comprise the steps of: calculating an Event density for at least one of said Recent profiles.
Is In a preferred embodiment, the said step of calculating an Event density comprises the steps of: identifying a current time; identifying a Recent profile within which said current time falls; dividing a number of events recorded in said Recent profile by a time duration determined by a difference between said current time and a start time of sub-period 2o associated with said Recent profile.
Said Event Data may correspond to time intervals of differing length.
The method may be used to capture a representation of inactivity within said flow.
The method may also be used to permit trend analysis for an initial sub-2s period during said sub-period.
According to a further aspect of the present invention there is provided a method of performing anomaly detection on a stream of Event Data Packets and comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile 3o for each of said sub-periods; allocating each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
WO 00/67460 _ 6 _ PCT/GB00/01676 According to a further aspect of the present invention there is provided a method of account fraud detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods; receiving a series s of Event Data Packets relating to account use; allocating each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
In a preferred embodiment account use relates to telecommunications network use.
io In a preferred embodiment said Event Data Packets are call detail records.
According to a further aspect of the present invention there is provided a method of network intrusion detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period;
Is creating a Recent profile for each of said sub-periods; receiving a series of Event Data Packets relating to account use; allocating each said Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
In a preferred embodiment said Event Data Packets relate to network 2o audit log data.
In a preferred embodiment said Event Data Packets relate to IP packet data.
According to a further aspect of the present invention there is provided a system for profiling a flow of event data packets comprising: apparatus 2s arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create and store a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
3o The system may be arranged to receive a plurality of flows and to perform processing on each flow independently of each other.
According to a further aspect of the present invention there is provided a system for performing anomaly detection on a stream of Event Data WO 00/67460 _ 7 _ PCT/GB00/01676 Packets and comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
According to a further aspect of the present invention there is provided a system for account fraud detection comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent to behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
According to a further aspect of the present invention there is provided a system for network intrusion detection comprising: apparatus arranged to is receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
2o The invention also provides for a system for the purposes profiling a flow of event data packets which comprises one or more instances of apparatus embodying the present invention, together with other additional apparatus.
According to a further aspect of the present invention there is provided 2s software on a machine readable medium arranged for profiling a flow of event data packets by: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub periods according to a time indication associated with said Event Data 3o Packet.
The preferred features may be combined as appropriate, as would be apparent to a skilled person, and may be combined with any of the aspects of the invention.
WO 00/67460 _ g _ PCT/GB00/01676 BRIEF DESCRIPTION OF THE DRAWINGS
In order to show how the invention may be carried into effect, embodiments of the invention are now described below by way of example only and with reference to the accompanying figures in which:
s Figure 1 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the prior art;
Figure 2 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the present invention.
DETAILED DESCRIPTION OF INVENTION
io The method proposed here is illustrated in Figure 2. The EDPs 210 (in this example taking the form of Call Detail Records (CDRs)) again feed into a Poll 220 of information and the Poll information is used to update the values in the Recent profiles 230a-f In this case each entity has associated with it multiple Recent Profiles (six are shown but more or is fewer may be used), where each Recent profile represents a period of time within a week (though a larger or shorter base period could be used), for example Saturday and Sunday between midnight and Sam. The Recent Profiles together cover the whole of a week period. Each Recent Profile has a related Historic Profile 240a-f which covers the same time 2o period.
Recent Profiles are filled until they contain all the data for the time period they cover. Once filled the values are used to update the corresponding Historic profile, and then the Recent profile values are reset to zero, and filled with the next CDRs in the time covered by the profile.
2s For example, a customer of voice telephony may have the Recent profiles of behaviour illustrated in Table 3 and corresponding Historic profiles illustrated in Table 4.
Profile Period Calls National International Number Duration Duration s s WO 00/67460 _ 9 _ PCT/GB00/01676 1 Weekdays, 1 25 0 0:00 - 08:00 2 Weekdays, 10 500 400 08:00 - 18:00 3 Weekdays, 0 0 0 18:00 - 24:00 4 Weekends, 0 0 0 0:00 - 08:00 Weekends, 5 255 15 08:00 - 18:00 6 Weekends, 0 0 0 18:00 - 24:00 Table 3: Voice telephony recent profiles example Profile Period Calls National International Number Duration Duration s s 1 Weekdays, 1.5 30 2 0:00 - 08:00 2 Weekdays, 8.5 800 250 08:00 - 18:00 3 Weekdays, 2 25 15 18:00 - 24:00 4 Weekends, 0 0 0 0:00 - 08:00 5 Weekends, 2 25 19 08:00 - 18:00 6 Weekends, 0 0 0 WO 00/67460 _ 10 _ PCT/GB00/01676 18;00 - 24:00 Table 4: Voice telephony historic profiles example A collection of Event Data (CDRs) is then presented to the system. The CDRs cover lam on a Monday through to 1 pm on the same Monday. The previous collection of data presented to the system had contained a CDR
s for Sam on the same Monday.
The CDR at lam is added to Recent Profile 1. When this profile is 'complete' the historic profile is updated. When the next time period is entered its recent profile values are reset to zero and new values accumulated.
to The Recent and Historical profiles after the data has been processed areas illustrated in Tables 5 and 6 respectively.
Profile Period Calls National International Number Duration Duration s s '1 Weekdays, 2 355 0 0:00 - 08:00 2 Weekdays, 4 300 425 08:00 - 18:00 3 Weekdays, 0 0 0 18:00 - 24:00 4 Weekends, 0 0 0 0:00 - 08:00 Weekends, 5 255 15 08:00 - 18:00 6 Weekends, 0 0 0 18:00 - 24:00 Table 5: Voice telephony recent profiles after processing WO 00/67460 _ 1 1 _ PCT/GB00/01676 Profile Period Calls National International Number Duration Duration s s 1 Weekdays, 2.0 62.5 1.8 0:00 - 08:00 2 Weekdays, 8.05 750 267.5 08:00 - 18:00 3 Weekdays, 2 25 15 18:00 - 24:00 4 Weekends, 0 0 0 0:00 - 08:00 Weekends, 2 25 19 08:00 - 18:00 6 Weekends, 0 0 0 18:00 - 24:00 Table 6: Voice telephony historic profiles after processing The only Recent profiles changed are those that cover the same time s period as the CDRs in the poll namely periods 1 and 2. The only Historic profile changed is in period 1, the values in the Recent profile having been used to update the Historic profile. After updating the Historic profile, the Recent profile is then reset to zero before new CDR information is added to it.
to Historic profiles are only updated once the Recent profile has been filled with all the information for that time period. This means that the size of the Poll has no influence over the Historic profiles, and the Recent profiles can contain details for any sub-period of the time period they cover, or the whole time period.
WO 00/67460 _ 12 _ PCT/GB00/01676 The profiles of behaviour are converted into Event Densities before pattern recognition is performed on them. Event Densities are produced by dividing the event data value by the number of seconds in the period during which those events occurred. For example, Table 6 shows an s example set of Historic profile values and the corresponding event densities values where the period covered 14400 seconds (4 hours).
Period Calls National International Duration Duration Historic 10 200 s 300 s Profile Values Event 10 / 14400 200 / 14400 300 / 14400 Densities = 0.00069 = 0.00139 0.02083 Table 7: Voice telephony historic profiles after processing Event densities for historic profiles provide an average of behaviour over io the whole time period. This means that dividing by the number of seconds in the time period gives the normal amount of behaviour in any one second. These are generally small values.
Recent profiles however may or may not contain values for the whole the time period they cover. Frequently the Recent profile that is being is analysed is not yet complete. For example, if ten minutes of event data require analysing for the time period 9.15am to 9.25am then a recent profile that covers the time period Sam to 6pm will be updated, but the time period for this profile is not yet complete. As the period is incomplete the number of seconds to divide by is calculated as follows. The complete 2o time period is divided into blocks of time, for example 30 minutes. A usage period consists of x of these blocks of time. The event data in the current incomplete Recent profile is divided by the number of seconds in the blocks covered so far. So event data covering up to 9.25 am has covered three 30 minute blocks so far and the values are divided by 5400 seconds 2s (90 minutes). Conversion into densities enables pattern recognition to be performed over event data that covers just a portion of the total time period.
WO 00/67460 _ 13 _ PCT/GB00/01676 This method has the advantages that:
~ the polls of event data can be of any size whilst still allowing the profiles produced by the system to maintain their integrity;
~ polls of data for very small time periods can be handled easily;
s ~ the preceding two advantages have the consequence that the system is suitable for both real time feeds and bulk batch feeds of poll data;
~ there is consequently no burden on the end user to divide up the event data into fixed sized chunks; and to ~ the profiles represent accurately the behaviour of the user, including a representative of inactivity by the user, and a representation of the time of use.
This method may be used in several application areas. These include telephony fraud detection using call detail records (CDRs), anomaly is detection on data streams, network intrusion detection using audit log data or IP packet data. The method also provides a means of comparison between recent behaviour and past behaviour for event streams that has potentially wide application for the rapid detection of behavioural changes.
Any range or device value given herein may be extended or altered 2o without losing the effect sought, as will be apparent to the skilled person for an understanding of the teachings herein.
FIELD OF THE INVENTION
The present invention relates to a method and apparatus for performing s pattern recognition within event streams, and a system incorporating the same.
BACKGROUND TO THE INVENTION
In recent years there has been a rapid increase in the number of commercially operated telecommunications networks in general and in to particular wireless telecommunication networks. Associated with this proliferation of networks is a rise in fraudulent use of such networks the fraud typically taking the form of gaining illicit access to the network, and then using the network in such a way that the fraudulent user hopes subsequently to avoid paying for the resources used. This may for Is example involve misuse of a third party's account on the network so that the perpetrated fraud becomes apparent only when the third party is charged for resources which he did not use.
Since fraudulent use of a single account can cost a network operator a large sum of money within a short space of time it is important that the 20 operator be able to identify and deal with the most costly forms of fraud at the earliest possible time.
One of the steps employed in, but not limited to use in, such fraud detection systems is pattern recognition from event streams.
Pattern recognition for event streams can be achieved by building up 2s profiles of the behaviour of an entity and performing pattern recognition over these profiles. In order for an entity to be profiled in this way, the entity must be able to have events associated with it. Examples of entities are: a single subscriber in a telephone network, a user accessing a data network, a switch in a telephone network or a server in a data network.
3o The events to be associated with the user must be able to be represented in an Event Data Packet (EDP). The profiles of entities behaviour are WO 00/67460 _ 2 _ PCT/GB00/01676 compared with known patterns of unacceptable behaviour to determine if the system should alert the end user to the entities behaviour pattern.
The flow of Event Data Packets 110 of information through a profiling pattern recognition system is shown in Figure 1. The Recent profile 130 s represents the typical usage for the entity over a recent period of time, approximately the last week. The Historical profile 140 represents the typical use for the entity over a preceding and longer time period, for example approximately the last six weeks. The EDPs are all accumulated into Polls of information. A Poll 120 is a set of EDPs received over a to particular time period (e.g. 4 hours). The Poll information is then used to update the values in the Recent profile, and the Recent profile is then used to update the values in the Historical profile. The solid arrow between the EDPs and the Poll indicates that the information in each Poll is directly created from the EDPs. The dotted arrow between the Poll and Is the Recent indicates that the Poll information is used only to update the Recent behaviour, as is true for the Recent to Historical.
In an example where the EDPs are Call Detail Records (CDRs) and the profiles represent voice telephony usage is given the profiles may consist of number of calls made and the duration of national and international 2o calls. Table 1 shows an example of Recent and Historical profiles for such an example.
Period Calls National International Duration Duration sec sec Recent 2.5 300 200 Profile Historic 2.0 250 200 Profile Table 1: Voice telephony recent and historic profile example WO 00/67460 _ 3 _ PCT/GB00/01676 If subsequent CDRs create a Poll of:
~ calls 3, ~ nationa1500, ~ internationa1100.
s Then after polling and once all updates to Recent and Historic profiles have completed the Recent and Historic profiles may be as shown in Table 2.
The new recent profile is derived from the previous recent profile plus a proportion of the difference between the new and old recent profiles Io The new historic profile is derived from the previous historic profile plus a proportion of the difference between the new and old historic profiles, but the proportions typically differ from that of the recent profile case in that a higher proportion of the old historic profile is taken.
Period Calls National International Duration Duration s s Recent 2.75 280 175 Profile Historic 2.1 255 195 Profile is Table 2: Voice telephony recent and historic profile example after update It can be seen that the Recent profile has moved towards the newly added Poll profile and the Historic toward the previous Recent profile.
These profiles provide a view of the entity's behaviour and how it changes 20 over time. The profiles of behaviour can then be used for pattern recognition to identify which entity's behaviour reflects patterns to which the user of system wishes to be alerted.
WO 00/67460 _ 4 _ PCT/GB00/01676 There are however the following limitations to the method described above:
The Recent and Historic profiles are built up from a series of Poll profiles.
In order for the Recent and Historic profiles to maintain their integrity all s Poll profiles must cover the same amount of time, for example a 4 hour period.
The period of time the Polls must all cover must not be too small, otherwise natural variations in behaviour will appear to be anomalous. A
typical recommended minimum is two hours.
to These two limitations, taken in consideration, mean that this method cannot be used for real time data feeds.
It is also incumbent upon the user to ensure that the data given to the product is split into appropriately sized chunks. This can be a burden to the user if, for example, hardware downtime means it is necessary to feed Is a backlog of data into the system.
The profiles generated only represent the active periods for the user, this means that a user who is active in only one two hour period a week could have a similar profile to a user who is active in twenty of the two hour periods in a week.
2o The nature of the data in the profile - as an average of activity in all X
minute periods where the user had actually been active - where X is the duration of the Poll, is not intuitive to many end users of the system.
In order for pattern recognition to occur effectively, the known patterns have to be represented in the same time period that the systems polls 2s over. This can increase training times for the account fraud detection system which analyses the Poll, Recent profile, and Historical profile information in order to identify anomalies.
OBJECT OF THE INVENTION
The invention seeks to provide an improved method and apparatus for 3o behavioural pattern recognition for event streams in general and for event streams in an account fraud detection systems in particular.
WO 00/67460 _ 5 _ PCT/GB00/01676 SUMMARY OF THE INVENTION
According to a first aspect of the present invention there is provided a method of profiling a flow of event data packets comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base s time period; creating a profile of recent behaviour for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
The method may also comprise the steps of: creating a profile of historical behaviour for each of said sub-periods; at the end of said Base Time io Period updating each of said Historical profiles responsive to the previous value of said Historical profile and a corresponding Recent profile, and resetting each said Recent profile.
The method may also comprise the steps of: calculating an Event density for at least one of said Recent profiles.
Is In a preferred embodiment, the said step of calculating an Event density comprises the steps of: identifying a current time; identifying a Recent profile within which said current time falls; dividing a number of events recorded in said Recent profile by a time duration determined by a difference between said current time and a start time of sub-period 2o associated with said Recent profile.
Said Event Data may correspond to time intervals of differing length.
The method may be used to capture a representation of inactivity within said flow.
The method may also be used to permit trend analysis for an initial sub-2s period during said sub-period.
According to a further aspect of the present invention there is provided a method of performing anomaly detection on a stream of Event Data Packets and comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile 3o for each of said sub-periods; allocating each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
WO 00/67460 _ 6 _ PCT/GB00/01676 According to a further aspect of the present invention there is provided a method of account fraud detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods; receiving a series s of Event Data Packets relating to account use; allocating each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
In a preferred embodiment account use relates to telecommunications network use.
io In a preferred embodiment said Event Data Packets are call detail records.
According to a further aspect of the present invention there is provided a method of network intrusion detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period;
Is creating a Recent profile for each of said sub-periods; receiving a series of Event Data Packets relating to account use; allocating each said Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
In a preferred embodiment said Event Data Packets relate to network 2o audit log data.
In a preferred embodiment said Event Data Packets relate to IP packet data.
According to a further aspect of the present invention there is provided a system for profiling a flow of event data packets comprising: apparatus 2s arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create and store a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
3o The system may be arranged to receive a plurality of flows and to perform processing on each flow independently of each other.
According to a further aspect of the present invention there is provided a system for performing anomaly detection on a stream of Event Data WO 00/67460 _ 7 _ PCT/GB00/01676 Packets and comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
According to a further aspect of the present invention there is provided a system for account fraud detection comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent to behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
According to a further aspect of the present invention there is provided a system for network intrusion detection comprising: apparatus arranged to is receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
2o The invention also provides for a system for the purposes profiling a flow of event data packets which comprises one or more instances of apparatus embodying the present invention, together with other additional apparatus.
According to a further aspect of the present invention there is provided 2s software on a machine readable medium arranged for profiling a flow of event data packets by: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub periods according to a time indication associated with said Event Data 3o Packet.
The preferred features may be combined as appropriate, as would be apparent to a skilled person, and may be combined with any of the aspects of the invention.
WO 00/67460 _ g _ PCT/GB00/01676 BRIEF DESCRIPTION OF THE DRAWINGS
In order to show how the invention may be carried into effect, embodiments of the invention are now described below by way of example only and with reference to the accompanying figures in which:
s Figure 1 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the prior art;
Figure 2 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the present invention.
DETAILED DESCRIPTION OF INVENTION
io The method proposed here is illustrated in Figure 2. The EDPs 210 (in this example taking the form of Call Detail Records (CDRs)) again feed into a Poll 220 of information and the Poll information is used to update the values in the Recent profiles 230a-f In this case each entity has associated with it multiple Recent Profiles (six are shown but more or is fewer may be used), where each Recent profile represents a period of time within a week (though a larger or shorter base period could be used), for example Saturday and Sunday between midnight and Sam. The Recent Profiles together cover the whole of a week period. Each Recent Profile has a related Historic Profile 240a-f which covers the same time 2o period.
Recent Profiles are filled until they contain all the data for the time period they cover. Once filled the values are used to update the corresponding Historic profile, and then the Recent profile values are reset to zero, and filled with the next CDRs in the time covered by the profile.
2s For example, a customer of voice telephony may have the Recent profiles of behaviour illustrated in Table 3 and corresponding Historic profiles illustrated in Table 4.
Profile Period Calls National International Number Duration Duration s s WO 00/67460 _ 9 _ PCT/GB00/01676 1 Weekdays, 1 25 0 0:00 - 08:00 2 Weekdays, 10 500 400 08:00 - 18:00 3 Weekdays, 0 0 0 18:00 - 24:00 4 Weekends, 0 0 0 0:00 - 08:00 Weekends, 5 255 15 08:00 - 18:00 6 Weekends, 0 0 0 18:00 - 24:00 Table 3: Voice telephony recent profiles example Profile Period Calls National International Number Duration Duration s s 1 Weekdays, 1.5 30 2 0:00 - 08:00 2 Weekdays, 8.5 800 250 08:00 - 18:00 3 Weekdays, 2 25 15 18:00 - 24:00 4 Weekends, 0 0 0 0:00 - 08:00 5 Weekends, 2 25 19 08:00 - 18:00 6 Weekends, 0 0 0 WO 00/67460 _ 10 _ PCT/GB00/01676 18;00 - 24:00 Table 4: Voice telephony historic profiles example A collection of Event Data (CDRs) is then presented to the system. The CDRs cover lam on a Monday through to 1 pm on the same Monday. The previous collection of data presented to the system had contained a CDR
s for Sam on the same Monday.
The CDR at lam is added to Recent Profile 1. When this profile is 'complete' the historic profile is updated. When the next time period is entered its recent profile values are reset to zero and new values accumulated.
to The Recent and Historical profiles after the data has been processed areas illustrated in Tables 5 and 6 respectively.
Profile Period Calls National International Number Duration Duration s s '1 Weekdays, 2 355 0 0:00 - 08:00 2 Weekdays, 4 300 425 08:00 - 18:00 3 Weekdays, 0 0 0 18:00 - 24:00 4 Weekends, 0 0 0 0:00 - 08:00 Weekends, 5 255 15 08:00 - 18:00 6 Weekends, 0 0 0 18:00 - 24:00 Table 5: Voice telephony recent profiles after processing WO 00/67460 _ 1 1 _ PCT/GB00/01676 Profile Period Calls National International Number Duration Duration s s 1 Weekdays, 2.0 62.5 1.8 0:00 - 08:00 2 Weekdays, 8.05 750 267.5 08:00 - 18:00 3 Weekdays, 2 25 15 18:00 - 24:00 4 Weekends, 0 0 0 0:00 - 08:00 Weekends, 2 25 19 08:00 - 18:00 6 Weekends, 0 0 0 18:00 - 24:00 Table 6: Voice telephony historic profiles after processing The only Recent profiles changed are those that cover the same time s period as the CDRs in the poll namely periods 1 and 2. The only Historic profile changed is in period 1, the values in the Recent profile having been used to update the Historic profile. After updating the Historic profile, the Recent profile is then reset to zero before new CDR information is added to it.
to Historic profiles are only updated once the Recent profile has been filled with all the information for that time period. This means that the size of the Poll has no influence over the Historic profiles, and the Recent profiles can contain details for any sub-period of the time period they cover, or the whole time period.
WO 00/67460 _ 12 _ PCT/GB00/01676 The profiles of behaviour are converted into Event Densities before pattern recognition is performed on them. Event Densities are produced by dividing the event data value by the number of seconds in the period during which those events occurred. For example, Table 6 shows an s example set of Historic profile values and the corresponding event densities values where the period covered 14400 seconds (4 hours).
Period Calls National International Duration Duration Historic 10 200 s 300 s Profile Values Event 10 / 14400 200 / 14400 300 / 14400 Densities = 0.00069 = 0.00139 0.02083 Table 7: Voice telephony historic profiles after processing Event densities for historic profiles provide an average of behaviour over io the whole time period. This means that dividing by the number of seconds in the time period gives the normal amount of behaviour in any one second. These are generally small values.
Recent profiles however may or may not contain values for the whole the time period they cover. Frequently the Recent profile that is being is analysed is not yet complete. For example, if ten minutes of event data require analysing for the time period 9.15am to 9.25am then a recent profile that covers the time period Sam to 6pm will be updated, but the time period for this profile is not yet complete. As the period is incomplete the number of seconds to divide by is calculated as follows. The complete 2o time period is divided into blocks of time, for example 30 minutes. A usage period consists of x of these blocks of time. The event data in the current incomplete Recent profile is divided by the number of seconds in the blocks covered so far. So event data covering up to 9.25 am has covered three 30 minute blocks so far and the values are divided by 5400 seconds 2s (90 minutes). Conversion into densities enables pattern recognition to be performed over event data that covers just a portion of the total time period.
WO 00/67460 _ 13 _ PCT/GB00/01676 This method has the advantages that:
~ the polls of event data can be of any size whilst still allowing the profiles produced by the system to maintain their integrity;
~ polls of data for very small time periods can be handled easily;
s ~ the preceding two advantages have the consequence that the system is suitable for both real time feeds and bulk batch feeds of poll data;
~ there is consequently no burden on the end user to divide up the event data into fixed sized chunks; and to ~ the profiles represent accurately the behaviour of the user, including a representative of inactivity by the user, and a representation of the time of use.
This method may be used in several application areas. These include telephony fraud detection using call detail records (CDRs), anomaly is detection on data streams, network intrusion detection using audit log data or IP packet data. The method also provides a means of comparison between recent behaviour and past behaviour for event streams that has potentially wide application for the rapid detection of behavioural changes.
Any range or device value given herein may be extended or altered 2o without losing the effect sought, as will be apparent to the skilled person for an understanding of the teachings herein.
Claims (20)
1. A method of profiling a flow of event data packets comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a profile of recent behaviour for each of said sub-periods;
allocating each Event Data Packet received to one of said sub-periods according to a time indication associated with said Event Data Packet.
receiving data defining a plurality of sub-periods which partition a base time period;
creating a profile of recent behaviour for each of said sub-periods;
allocating each Event Data Packet received to one of said sub-periods according to a time indication associated with said Event Data Packet.
2. A method according to claim 1 comprising the steps of:
creating a profile of historical behaviour for each of said sub-periods;
at the end of said Base Time Period updating each of said Historical profiles responsive to the previous value of said Historical profile and a corresponding Recent profile, and resetting each said Recent profile.
creating a profile of historical behaviour for each of said sub-periods;
at the end of said Base Time Period updating each of said Historical profiles responsive to the previous value of said Historical profile and a corresponding Recent profile, and resetting each said Recent profile.
3. A method according to any one of claims 1 - 2 additionally comprising the step of:
calculating an Event density for at least one of said Recent profiles.
calculating an Event density for at least one of said Recent profiles.
4. A method according to claim 3 wherein said step of calculating an Event density comprises the steps of:
identifying a current time;
identifying a Recent profile within which said current time falls;
dividing a number of events recorded in said Recent profile by a time duration determined by a difference between said current time and a start time of sub-period associated with said Recent profile.
identifying a current time;
identifying a Recent profile within which said current time falls;
dividing a number of events recorded in said Recent profile by a time duration determined by a difference between said current time and a start time of sub-period associated with said Recent profile.
5. A method according to any one of claims 1 - 4, wherein said Event Data may correspond to time intervals of differing length.
6. A method according to any one of claims 1 - 5, whereby to capture a representation of inactivity within said flow.
7. A method according to any one of claims 1 - 6, whereby to permit trend analysis for an initial sub-period during said sub-period.
8. A method of performing anomaly detection on a stream of Event Data Packets and comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
9. A method of account fraud detection comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
receiving a series of Event Data Packets relating to account use;
allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
receiving a series of Event Data Packets relating to account use;
allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
10. A method of account fraud detection according to claim 9, wherein said account use relates to telecommunications network use.
11. A method of account fraud detection according to any one of claims 9 - 10, wherein said Event Data Packets are call detail records.
12. A method of network intrusion detection comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
receiving a series of Event Data Packets relating to account use;
allocating each said Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
receiving a series of Event Data Packets relating to account use;
allocating each said Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
13. A method of network intrusion detection according to claim 12, wherein said Event Data Packets relate to network audit log data.
14. A method of network intrusion detection according to claim 12, wherein said Event Data Packets relate to IP packet data.
15. A system for profiling a flow of event data packet polls comprising:
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create and store a Recent profile for each of said sub-periods;
allocating each Event Data Packet in said Poll to one of said sub-periods according to a time indication associated with said Event Data Packet.
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create and store a Recent profile for each of said sub-periods;
allocating each Event Data Packet in said Poll to one of said sub-periods according to a time indication associated with said Event Data Packet.
16. A system according to claim 15 arranged to receive a plurality of flows and to perform process each flow independently of each other.
17. A system for performing anomaly detection on a stream of Event Data Packets and comprising:
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a Recent profile for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a Recent profile for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
18. A system for account fraud detection comprising:
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a profile of recent behaviour for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a profile of recent behaviour for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
19. A system for of network intrusion detection comprising:
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a profile of recent behaviour for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a profile of recent behaviour for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according a time indication in said Event Data Packet.
20. Software on a machine readable medium arranged for profiling a flow of event data packet polls by:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a profile of recent behaviour for each of said sub-periods;
allocating each Event Data Packet inset Poll to one of said sub-periods according to a time indication associated with said Event Data Packet.
receiving data defining a plurality of sub-periods which partition a base time period;
creating a profile of recent behaviour for each of said sub-periods;
allocating each Event Data Packet inset Poll to one of said sub-periods according to a time indication associated with said Event Data Packet.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB9910268.3 | 1999-05-04 | ||
GBGB9910268.3A GB9910268D0 (en) | 1999-05-04 | 1999-05-04 | Behavourial pattern recognition for event streams |
PCT/GB2000/001676 WO2000067460A1 (en) | 1999-05-04 | 2000-04-28 | Method and system for fraud detection in telecommunications |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2373017A1 true CA2373017A1 (en) | 2000-11-09 |
Family
ID=10852761
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002373017A Abandoned CA2373017A1 (en) | 1999-05-04 | 2000-04-28 | Method and system for fraud detection in telecommunications |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP1179260A1 (en) |
AU (1) | AU4588400A (en) |
CA (1) | CA2373017A1 (en) |
GB (1) | GB9910268D0 (en) |
IL (1) | IL146314A0 (en) |
WO (1) | WO2000067460A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7142651B2 (en) | 2001-11-29 | 2006-11-28 | Ectel Ltd. | Fraud detection in a distributed telecommunications networks |
GB0207392D0 (en) * | 2002-03-28 | 2002-05-08 | Neural Technologies Ltd | A configurable data profiling system |
US11062315B2 (en) | 2018-04-25 | 2021-07-13 | At&T Intellectual Property I, L.P. | Fraud as a service |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5375244A (en) * | 1992-05-29 | 1994-12-20 | At&T Corp. | System and method for granting access to a resource |
US5907602A (en) * | 1995-03-30 | 1999-05-25 | British Telecommunications Public Limited Company | Detecting possible fraudulent communication usage |
GB2303275B (en) * | 1995-07-13 | 1997-06-25 | Northern Telecom Ltd | Detecting mobile telephone misuse |
GB9715497D0 (en) * | 1997-07-22 | 1997-10-01 | British Telecomm | A telecommunications network |
-
1999
- 1999-05-04 GB GBGB9910268.3A patent/GB9910268D0/en not_active Ceased
-
2000
- 2000-04-28 AU AU45884/00A patent/AU4588400A/en not_active Abandoned
- 2000-04-28 EP EP00927481A patent/EP1179260A1/en not_active Withdrawn
- 2000-04-28 CA CA002373017A patent/CA2373017A1/en not_active Abandoned
- 2000-04-28 WO PCT/GB2000/001676 patent/WO2000067460A1/en active Application Filing
- 2000-04-28 IL IL14631400A patent/IL146314A0/en unknown
Also Published As
Publication number | Publication date |
---|---|
GB9910268D0 (en) | 1999-06-30 |
EP1179260A1 (en) | 2002-02-13 |
WO2000067460A1 (en) | 2000-11-09 |
AU4588400A (en) | 2000-11-17 |
IL146314A0 (en) | 2002-07-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7406161B2 (en) | System and method for real-time fraud detection within a telecommunication network | |
US5805686A (en) | Telephone fraud detection system | |
US8170947B2 (en) | Fraud detection based on call attempt velocity on terminating number | |
US7457401B2 (en) | Self-learning real-time prioritization of fraud control actions | |
US6597775B2 (en) | Self-learning real-time prioritization of telecommunication fraud control actions | |
JPH06350698A (en) | Monitoring method with utilization of communication network | |
CA2186182C (en) | Isochronal updating of data records | |
CA2373017A1 (en) | Method and system for fraud detection in telecommunications | |
US7631355B2 (en) | System and method for identifying extreme behavior in elements of a network | |
CN107086978A (en) | A kind of method and device for recognizing trojan horse | |
CN114338916B (en) | Theft-fighting alarm method and system | |
US20050246182A1 (en) | Configurable profiling of data | |
CN103188651A (en) | Information correlation method and device | |
KR20050026191A (en) | Telecommunication system using single-rate charging service, and single-rate charging apparatus and method therefor | |
JP2003522503A (en) | Data analysis in intelligent networks | |
AU2003218899A1 (en) | A hierarchical system for analysing data streams |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FZDE | Discontinued |